1. A Semantics for Procedure Local Heaps and its Abstractions
Noam Rinetzky Tel Aviv University
Noam Rinetzky Tel Aviv University
Joint work with
Jörg Bauer Universität des Saarlandes
Thomas Reps University of Wisconsin
Mooly Sagiv Tel Aviv University
Reinhard Wilhelm Universität des Saarlandes

2. Motivation Interprocedural shape analysis Goals
Conservative static pointer analysis
Heap intensive programs
Imperative programs with procedures
Recursive data structures
Goals
Precision
Efficiency

3. Main idea Procedures as local heap transformers call p(x); x x X X y yg X
call p(x); y g t

4. Main Results Concrete operational semantics Abstractions Large step
Functional analysis
Storeless
Shape abstractions
Local heap
Observationally equivalent to “standard” semantics
Java and “clean” C
Abstractions
Shape analysis [Sagiv, Reps, Wilhelm, TOPLAS ‘02]
May-alias [Deutsch, PLDI ‘94] …

5. Outline Motivating example Why semantics
Localized Heap Storeless Semantics
Shape abstraction

6. Example … static void main() { } static List reverse(List t) { } n t nq n q
List x = reverse(p); n p x t r n t r n
List y = reverse(q);
List z = reverse(x);
return r;

7. Example static void main() { } static List reverse(List t) { }
List x = reverse(p); n t n p x n p x n t n n q
List y = reverse(q); n t r n t r n q y
List z = reverse(x);
return r;

8. Example n t n static void main() { } static List reverse(List t) { }
List x = reverse(p); n t
List y = reverse(q); n p x n p x n t q y n q y n
List z = reverse(x); p n x z t r n t r n
return r;

9. Cutpoints
Separating objects
Not pointed-to by a parameter

10. Cutpoints proc(x) Separating objects Not pointed-to by a parameter
Stack sharing

11. Cutpoints proc(x) proc(x) Separating objects
Not pointed-to by a parameter
proc(x)
proc(x) n n n n n n n n n n x p x n n y
Stack sharing
Heap sharing

12. Sharing patterns t n q p t n p x q y t n p q y t n q x y

13. Example static void main() { } static List reverse(List t) { }
List x = reverse(p);
List y = reverse(q); n p x n t n n n p x q y n q y n
List z = reverse(x); p n z x r t n r t n
return r;

14. Outline Motivating example Why semantics
Localized Heap Storeless Semantics
Shape abstraction

15. Abstract Interpretation [Cousot and Cousot, POPL ’77]
Operational semantics  
Abstract transformer

16. Introducing local heap semantics
Operational semantics ~
Part I
Local heap Operational semantics ’ ’
Part II
Abstract transformer

17. Outline Motivating example Why semantics
LSL: Localized Heap Storeless Semantics
Shape abstraction

18. Programming model Single threaded Procedures Heap Value parameters
Recursion
Heap
Recursive data structures
Destructive update
No explicit addressing (&, cast)

19. Simplifying assumptions
No primitive values (reference only)
No globals
Formals not modified

20. Store-based semantics
0x10
0x12
0x14
0x11
0x13
0x0
0x15
x0x10 … n
Object  address
Memory state:
Object: FieldIdAddress
Heap: AddressObject
Natural
Addresses do not affect shape
0x12
0x0
0x10
x0x14 … n ~ x

21. Storeless semantics No addresses Memory state: y=x Alias analysis
Object: 2Access paths
Heap: 2Object
Alias analysis x n x
x.n
x.n.n
y=x x n y
x.n
y.n
x.n.n
y.n.n
x=null y n
y.n
y.n.n

22. Example p? static void main() { } static List reverse(List t) {
return r; }
List x = reverse(p); t n
List y = reverse(q);
t.n.n.n
t.n.n
t.n t
t.n.n n
t.n.n.n t
t.n n n n p
x.n.n.n p
x.n.n
x.n x x
y.n.n n y
y.n q
y.n.n n y
y.n q
List z = reverse(x);
z.n n z x
z.n.n.n
z.n.n z x
r.n n r t
r.n.n.n
r.n.n
r.n n r t
r.n.n.n
r.n.n p?

23. Example static void main() { } static List reverse(List t) { return r;
List x = reverse(p); L t n
List y = reverse(q);
t.n.n.n L
t.n.n
t.n t
t.n.n n
t.n.n.n L t
t.n n n n p
x.n.n.n p
x.n.n
x.n x x
y.n.n n y
y.n q
y.n.n n y
y.n q
List z = reverse(x);
p.n
z.n n p z
x p.n.n.n
z.n.n.n
p.n.n
z.n.n p z x
L.n
r.n n L r
t L.n.n.n
r.n.n.n
L.n.n
r.n.n t
L.n
r.n n L r
t L.n.n.n
r.n.n.n
L.n.n
r.n.n t

24. Cutpoint labels Relate pre-state with post-state Additional roots
Mark cutpoints at and throughout an invocation

25. Cutpoint labels L  {t.n.n.n} t L
Cutpoint label: the set of access paths that point to a cutpoint
when the invoked procedure starts
t.n.n.n L
t.n.n
t.n t L t
L  {t.n.n.n}

26. Sharing patterns L  {t.n.n.n} Cutpoint labels encode sharing patterns
w.n w w p
Stack sharing
Heap sharing
L  {t.n.n.n}

27. , Memory states L = CPL,A L={h.n.n.n} n t L { r ,{t.n.n.n}},
{r.n, {t.n.n.n}.n},
{r.n, {t.n.n.n}.n.n},
{ t, r.n.n.n, {t.n.n.n}.n.n.n} L
r.n
L.n r
t, r.n.n.n
L.n.n.n
r.n.n
L.n.n t
L={h.n.n.n} n

28. Formal semantics Ordinary statements

29. Procedure call semantics

30. Observational equivalence
L  L (Local-heap Storeless Semantics)
G  G (Global-heap Store-based Semantics)
L and G observationally equivalent
when for every access paths , 
  =  (L)    =  (G)

31. Main theorem: semantics equivalence
L  L (Local-heap Storeless Semantics)
G  G (Global-heap Store-based Semantics)
L and G observationally equivalent
st, L  L st, G  G
LSL
GSB
L and L are observationally equivalent

32. Corollaries
Preservation of invariants
 = 
Detection of memory leaks

33. Application Justify soundness of static analysis
May-alias analysis [TAU-TR-26/04]
Shape Analysis

34. Outline Motivating example Why semantics
LSL: Localized Heap Storeless Semantics
Shape abstraction

35. Shape Abstraction Shape descriptors represent unbounded memory states
Conservatively
Bounded way

36. A Shape abstraction L={t.n.n.n} r n n n t L r L r.n L.n r.n.n L.n.n
t, r.n.n.n
L.n.n.n t L

37. A Shape abstraction L=* r n n n t L r.n L.n r L t, r.n.n.n L.n.n.n

38. A Shape abstraction
L=* n r n n t L

39. A Shape abstraction L={t.n.n.n} n n n r t L L=* n r n n t L r L r.n
L.n.n
t, r.n.n.n
L.n.n.n t L
L=* n r n n t L

40. A Shape abstraction L1={h.n} L2={h.n.n} L1 L2 n n n t L=* n L r n n t
r.n.n.n t
L=* n L r n n t

41. Application (joint work with Eran Yahav)
A framework shape analysis using local heaps
Parametric abstraction
Local heap (lists, trees, …)
Sharing patterns

42. Application Single threaded Java programs Properties proved
Absence of null derferences
Listness preservation
API conformance
Recursive  Iterative
Procedural abstraction

43. Procedural abstraction
Inline
Procedure Call
 Program MB
Sec
crt3
22.3
5.4
22.0
6.4
crt3x3
50.7
27.0
26.2
9.2

44. Recursion vs. Iteration
Iterative
Recursive
 Program MB
Sec.
Sec
create
19.7
10.9
19.3
9.3
find
22.3
21.3
23.5
35.8
insert
23.3
41.2
delete
23.2
42.0
24.8
45.3
append
25.1
17.2
25.6
20.2
reverse
23.6
23.7
24.0
33.7
revApp
26.0
45.7
26.5
46.8
merge
25.9
579.7
27.8
91.9
splice
25.5
70.1
26.1
36.9

45. Demo class List { int d; List n; static List reverse(List t) {
if (t == null || t.n == null)
return t;
List tn = t.n;
t.n = null;
List r = reverse(tn);
tn.n = t;
return r; }
static void main() {
List p = create(4);
List q = create(3);
List x = reverse(p);
List y = reverse(q);
List z = reverse(x);

46. Related work Storeless semantics Jonkers, Algorithmic Languages ‘81
Deutsch, ICCL ‘92

47. Related work Interprocedural shape analysis Rinetzky and Sagiv, CC ’01
Global heap
Jeannet et al., SAS ’04
Local heap, relational
Chong and Rugina, SAS ’03
Local heap
Hackett and Rugina, POPL ’05
Staged analysis

48. Related work Local reasoning Ishtiaq and O’Hearn, POPL ‘01
Reynolds, LICS ’02

49. Summary Operational semantics Applications Storeless Local heap
Cutpoints
Equivalence theorem
Applications
Shape analysis
May-alias analysis

50. End www.cs.tau.ac.il/~maon
A Semantics for procedure local heaps and its abstraction
Noam Rinetzky, Jörg Bauer, Thomas Reps, Mooly Sagiv, and Reinhard Wilhelm
AVACS Technical Report 1
Interprocedural functional shape analysis using local heaps
Noam Rinetzky, Mooly Sagiv, and Eran Yahav
School of Computer Science, Tel Aviv University, Technical Report 26/04